Microsoft Cloud Authors: Andreas Grabner, Stackify Blog, Liz McMillan, David H Deans, Automic Blog

Related Topics: Microsoft Cloud, Microservices Expo, Containers Expo Blog, Cloud Security

Microsoft Cloud: Tutorial

RDP Exploitation Using Cain

Cain has the ability to do a man in the middle attack against the RDP “Remote Desktop Protocol”

The Microsoft Remote Desktop Protocol (RDP) provides remote display and input capabilities over network connections for Windows-based applications running on a server.  RDP is designed to support different types of network topologies and multiple LAN protocols.  Remote Desktop Services formerly know as Terminal Services on Windows 2000 Server allow a server to host multiple, simultaneous client sessions.  Remote Desktop uses Remote Desktop Services technology to allow a single session to run remotely.  Thus a user can connect to a Remote Desktop Session Host server by using Remote Desktop Connection (RDC) client software.

Cain has the ability to do a man in the middle attack against the RDP “Remote Desktop Protocol”.  Cain is compiled using Microsoft Visual C++ and linked as a single executable file named “Cain.exe”.  Developed with a simple Windows graphical user interface, its main purpose is to concentrate several hacking techniques and proof of concepts providing a simplified tool focused on the recovery of passwords and authentication credentials from various sources.

Windows 2008 R2 has added some remote desktop services to its server such as RemoteApp, RD gateway, and RD Visualization Host.  The windows server role now provides increased flexibility to deploy individual applications or full desktops via RDS or a VDI solution.  The following is a list of Windows 2008 R2 individual applications that are available to users over the Remote Desktop Protocol (RDP).

  1. Remote Desktop Virtualization
  2. Remote Desktop IP Virtualization
  3. RDP & Remote Desktop Connection version 7.0
  4. Fair Share CPU scheduling
  5. Windows Installer compatibility
  6. True multiple monitor support for up to 16 monitors
  7. RDS Provider for PowerShell

With these new improvements the door is open for potential security issues depending on how you deploy RDS.  So RDS included a number of security mechanisms to help make RD connections more secure such as Network Level Authentication (NLA), Transport Layer Security (TLS), Group Policy, RD Web Access, and RD Gateway. 

NLA requires that the user be authenticated to the RD Session Host server before a session is created.  This helps protect the remote computer from malicious users and malware.  The client computer must be at Windows XP service pack 3 or above to use NLA.  Transport Layer Security (TLS) can use one of three security layers for protecting communications between the client and the RDS Session Host server:

  • RDP security layer – uses native RDP encryption and is least secure
  • Negotiate – TLS 1.0 (SSL) encryption used if the client supports it
  • SSL – TLS 1.0 encryption will be used for server authentication and encryption of data sent between the client and Session Host server.  This is the most secure.  You will need a digital certificate, which can be issued by a CA or self-signed.

This security can be all for not with some lax controls and an effective formidable foe using Cain on your network segment.  Cain runs on windows machines (Windows 9x & Windows NT/2000/XP) below is a screenshot of the interface. (see figure #1)

In this tutorial I have Cain running on a Windows XP machine and placed in the same network segment as a Windows 7 machine that is communicating with a Windows 2008 R2 server.  Below is a list of the IP address assignments.

Figure 1: Cain screenshot

Windows 7                
Windows XP (Attacker)
Windows 2008 R2   

When you fire up Cain you will be given a gui interface with a list of decoders, network, sniffer, cracker, traceroute, CCDU, wireless, and query tabulated across the top.  The first thing you want to do is select you interface by clicking on the sniffer icon at the top.  If you have more than one interface then you need to select the appropriate interface for your work.  This will start the sniffer and allow you to see what devices are available on the network segment (see Figure #2). 

Next you can select what devices you would like to sniff traffic to and from (see Figure #3).  Now you are ready to arp poison the network segment between your Windows 7 and Windows 2008 R2 Server by clicking on the radioactive button you will notice the status will change from idle to poisoning (see Figure #4).

Figure 2: Devices available on network segment

Now that the attack is set we need to go to our Windows 7 client and RDP into our Windows 2008 R2 server.  Now if you are doing this on a recent installation of Windows 2008 R2 server than you will have no problems within the first 120 days.  After that the grace period is over and a license server needs to be installed and activated.  But if your company is like most that I have worked for then money is tight and if there is a way found to get around purchasing a license all the better.  A Client Access License (CAL) is required for each client requiring access to Windows Server 2008 Terminal Services.  Once installed you can utilize the features I listed above to secure your RDP sessions.  But if your like most organizations you can always find a way around this license requirement.

Figure 3: Select devices you want to sniff traffic to and from

When you try connecting to the Windows 2008 R2 Server after the 120 day grace period via RDP you will get this error message if you don't have your Client Access License setup and configured (see Figure #5).

Figure 4: Status change from idle to poisoning

Figure 5: Error message

The remote session was disconnected because there are no Remote Desktop License Servers available to provide a license.  Please contract the server administrator.  Now when the client in this case the Windows 7 machine – connects to an RD Session Host server it determines if an RDS CAL is needed.  The server then request an RDS CAL from a Remote Desktop license server on behalf of the client (Windows 7) and issued to the client and able to connect to the RD Session Host server (Windows 2008 R2).  But windows allows for 2 RDP sessions to the host machine even without the license server.  Network Administrators who do maintenance on servers (ie check status, run updates, etc) can RDP in  with the admin command like so: mstsc /v: IP_or_hostname /admin

Make sure there is a space after the IP address and before the /admin.  Many Network Administrators using this function disregard the identity of the remote computer warning message and connect anyway. (see Figure #6)

Figure 6: mstsc command and RDP warning message

Now we can connect from our Windows 7 client to our Windows 2008 R2 Server using RDP (see Figure # 7).

Figure 7: RDP login screen

Once we are provide the login information and password we are given access to our Windows 2008 R2 Server (see Figure #8).  Now lets go back and see what information Cain has saved for us running on our attack machine Windows XP (see Figure #9)

Figure 8:  Administrator Desktop of Windows 2008 Server R2

Figure 9: Files saved in ARP RDP (2)

This file that is saved pulls out keystrokes from the decrypted log file made by Cain and you can do this by hand or you can get the script by Adrian Crenshaw owner of irongeek.com.  The script is written in AutoIt v3 and works quite well.  Here is a screenshot of the parsed file run through Adrian's script (see Figure #10).

Figure 10: log parsed with Adrian's script

References on the Web:


Let pbnetworks get your pen test on target

Visit us and learn how http://pbnetworks.net
How secure is your network?

More Stories By David Dodd

David J. Dodd is currently in the United States and holds a current 'Top Secret' DoD Clearance and is available for consulting on various Information Assurance projects. A former U.S. Marine with Avionics background in Electronic Countermeasures Systems. David has given talks at the San Diego Regional Security Conference and SDISSA, is a member of InfraGard, and contributes to Secure our eCity http://securingourecity.org. He works for Xerox as Information Security Officer City of San Diego & pbnetworks Inc. http://pbnetworks.net a Service Disabled Veteran Owned Small Business (SDVOSB) located in San Diego, CA and can be contacted by emailing: dave at pbnetworks.net.

@ThingsExpo Stories
The Internet giants are fully embracing AI. All the services they offer to their customers are aimed at drawing a map of the world with the data they get. The AIs from these companies are used to build disruptive approaches that cannot be used by established enterprises, which are threatened by these disruptions. However, most leaders underestimate the effect this will have on their businesses. In his session at 21st Cloud Expo, Rene Buest, Director Market Research & Technology Evangelism at Ara...
"When we talk about cloud without compromise what we're talking about is that when people think about 'I need the flexibility of the cloud' - it's the ability to create applications and run them in a cloud environment that's far more flexible,” explained Matthew Finnie, CTO of Interoute, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
The current age of digital transformation means that IT organizations must adapt their toolset to cover all digital experiences, beyond just the end users’. Today’s businesses can no longer focus solely on the digital interactions they manage with employees or customers; they must now contend with non-traditional factors. Whether it's the power of brand to make or break a company, the need to monitor across all locations 24/7, or the ability to proactively resolve issues, companies must adapt to...
With major technology companies and startups seriously embracing Cloud strategies, now is the perfect time to attend 21st Cloud Expo October 31 - November 2, 2017, at the Santa Clara Convention Center, CA, and June 12-14, 2018, at the Javits Center in New York City, NY, and learn what is going on, contribute to the discussions, and ensure that your enterprise is on the right path to Digital Transformation.
Artificial intelligence, machine learning, neural networks. We’re in the midst of a wave of excitement around AI such as hasn’t been seen for a few decades. But those previous periods of inflated expectations led to troughs of disappointment. Will this time be different? Most likely. Applications of AI such as predictive analytics are already decreasing costs and improving reliability of industrial machinery. Furthermore, the funding and research going into AI now comes from a wide range of com...
Internet of @ThingsExpo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 21st Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The Internet of Things (IoT) is the most profound change in personal and enterprise IT since the creation of the Worldwide Web more than 20 years ago. All major researchers estimate there will be tens of billions devic...
SYS-CON Events announced today that MobiDev, a client-oriented software development company, will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. MobiDev is a software company that develops and delivers turn-key mobile apps, websites, web services, and complex software systems for startups and enterprises. Since 2009 it has grown from a small group of passionate engineers and business...
SYS-CON Events announced today that GrapeUp, the leading provider of rapid product development at the speed of business, will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Grape Up is a software company, specialized in cloud native application development and professional services related to Cloud Foundry PaaS. With five expert teams that operate in various sectors of the market acr...
SYS-CON Events announced today that Ayehu will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on October 31 - November 2, 2017 at the Santa Clara Convention Center in Santa Clara California. Ayehu provides IT Process Automation & Orchestration solutions for IT and Security professionals to identify and resolve critical incidents and enable rapid containment, eradication, and recovery from cyber security breaches. Ayehu provides customers greater control over IT infras...
In this presentation, Striim CTO and founder Steve Wilkes will discuss practical strategies for counteracting fraud and cyberattacks by leveraging real-time streaming analytics. In his session at @ThingsExpo, Steve Wilkes, Founder and Chief Technology Officer at Striim, will provide a detailed look into leveraging streaming data management to correlate events in real time, and identify potential breaches across IoT and non-IoT systems throughout the enterprise. Strategies for processing massive ...
SYS-CON Events announced today that Cloud Academy named "Bronze Sponsor" of 21st International Cloud Expo which will take place October 31 - November 2, 2017 at the Santa Clara Convention Center in Santa Clara, CA. Cloud Academy is the industry’s most innovative, vendor-neutral cloud technology training platform. Cloud Academy provides continuous learning solutions for individuals and enterprise teams for Amazon Web Services, Microsoft Azure, Google Cloud Platform, and the most popular cloud com...
In his session at Cloud Expo, Alan Winters, an entertainment executive/TV producer turned serial entrepreneur, presented a success story of an entrepreneur who has both suffered through and benefited from offshore development across multiple businesses: The smart choice, or how to select the right offshore development partner Warning signs, or how to minimize chances of making the wrong choice Collaboration, or how to establish the most effective work processes Budget control, or how to ma...
SYS-CON Events announced today that Enzu will exhibit at SYS-CON's 21st Int\ernational Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Enzu’s mission is to be the leading provider of enterprise cloud solutions worldwide. Enzu enables online businesses to use its IT infrastructure to their competitive advantage. By offering a suite of proven hosting and management services, Enzu wants companies to focus on the core of their ...
We build IoT infrastructure products - when you have to integrate different devices, different systems and cloud you have to build an application to do that but we eliminate the need to build an application. Our products can integrate any device, any system, any cloud regardless of protocol," explained Peter Jung, Chief Product Officer at Pulzze Systems, in this SYS-CON.tv interview at @ThingsExpo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA
SYS-CON Events announced today that IBM has been named “Diamond Sponsor” of SYS-CON's 21st Cloud Expo, which will take place on October 31 through November 2nd 2017 at the Santa Clara Convention Center in Santa Clara, California.
SYS-CON Events announced today that CA Technologies has been named "Platinum Sponsor" of SYS-CON's 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. CA Technologies helps customers succeed in a future where every business - from apparel to energy - is being rewritten by software. From planning to development to management to security, CA creates software that fuels transformation for companies in the applic...
Amazon started as an online bookseller 20 years ago. Since then, it has evolved into a technology juggernaut that has disrupted multiple markets and industries and touches many aspects of our lives. It is a relentless technology and business model innovator driving disruption throughout numerous ecosystems. Amazon’s AWS revenues alone are approaching $16B a year making it one of the largest IT companies in the world. With dominant offerings in Cloud, IoT, eCommerce, Big Data, AI, Digital Assista...
Multiple data types are pouring into IoT deployments. Data is coming in small packages as well as enormous files and data streams of many sizes. Widespread use of mobile devices adds to the total. In this power panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists looked at the tools and environments that are being put to use in IoT deployments, as well as the team skills a modern enterprise IT shop needs to keep things running, get a handle on all this data, and deliver...
In his session at @ThingsExpo, Eric Lachapelle, CEO of the Professional Evaluation and Certification Board (PECB), provided an overview of various initiatives to certify the security of connected devices and future trends in ensuring public trust of IoT. Eric Lachapelle is the Chief Executive Officer of the Professional Evaluation and Certification Board (PECB), an international certification body. His role is to help companies and individuals to achieve professional, accredited and worldwide re...
With the introduction of IoT and Smart Living in every aspect of our lives, one question has become relevant: What are the security implications? To answer this, first we have to look and explore the security models of the technologies that IoT is founded upon. In his session at @ThingsExpo, Nevi Kaja, a Research Engineer at Ford Motor Company, discussed some of the security challenges of the IoT infrastructure and related how these aspects impact Smart Living. The material was delivered interac...